Who we are 



ERNW 

Living Security. 



■ Old-school network geeks. 

■ Working as security researchers for Germany-based 
ERNW GmbH. 

■ Fiddling around with devices and protocols makes the 
majority of our days. 



We really like Shmoo ;-) 
Dimensions of this talk 

■ We want you to reflect on the way $TECHNOLOGIES work 

■ => Some discussion of trust models 

■ If you consider this "some esoteric shit"... use your ShmooBalls ;-) 

■ We want you to have a mild laughter 

■ That's why we included that "bingo stuff" (see next slide) 
■ But, honestly, quite some of the time this is not too funny... 



■ We want to entertain you 

■ Some demos might help to achieve this (the "Meat!" sections) 



Bingo [www.crypto.com/bingo/pr] 
BGP 
Border Gateway Protocol 

Most current version as of RFC 1771 (March 1995) 



■ The glue that keeps the internet together. 

■ Has an interesting trust model. 

■ Was subject of some heavy debate last year. 



BGP - How it works 
■ BGP speakers ("peers") establish relationships with 
neighboring peers 

■ BGP works over / relies on TCP 

■ => no multicasting (=> you can't easily join a "group of BGP speakers") 

■ No (easy) spoofing 

■ Peers announce "Network Layer Reachability Information" 
(NLRI) 

■ Think: "I know that some network can be reached via some way" 



NLRIs (+ attributes) serve for path building/calculation. 



BGP Trust Model 
■ TCP based => mostly configured manually / by script 

■ => "Intra Operator Trust" 
[amongst humans] 




■ Error prone 

■ AS7007 Incident 
■ YouTube / Pakistan 



■ Once you're a member of the "old boys club" you might 
perform all sorts of nasty stuff. 

■ Pilosov / Kapela 2008 






BGP security mechanisms 
■ MD5 signature, mainly for integrity checking 

■ Uses the "generic TCP MD5 Signature Option" (RFC 2385) 

■ Certainly that bell in your head just rang... yes: "MD5" 

■ Anybody attended 25C3 recently? ;-) 

■ Still, similar attacks would be quite difficult. 

■ And "they're working on it" 

■ http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcp-auth-opt-02.txt 



■ Use of MD5-key-secured BGP is considered carrier BCP 

■ Does it really add security value? 
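The check behind that MD5 option, as an added worked example that is not code from the talk and not one of the ERNW tools: it computes the RFC 2385 digest the way a receiving speaker must (pseudo-header, fixed TCP header with the checksum zeroed, payload, then the key) and compares it with the digest carried in the kind-19 option. Addresses, ports, payload and key are constructed; a real stack would also fill in the TCP checksum. The point of the slide shows in the code: every input to the digest except the key is readable from the segment itself, so the integrity check is exactly as strong as the key.

```python
"""RFC 2385 TCP MD5 Signature Option: what a receiving BGP speaker checks.

Added example for this section; it is not code from the talk and not
ERNW's bgp_cli or bgp_md5crack. The addresses, ports, payload and key
below are constructed for illustration.
"""
import hashlib
import hmac
import struct
from typing import Optional

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19      # option kind defined by RFC 2385
MD5SIG_OPT_LEN = 18     # kind + length + 16-byte digest


def rfc2385_digest(src_ip: bytes, dst_ip: bytes, tcp_header: bytes,
                   data: bytes, key: bytes) -> bytes:
    """MD5 over the four items RFC 2385 lists, in this order:
    1. TCP pseudo-header: src addr, dst addr, zero byte, protocol, segment length
    2. the fixed 20-byte TCP header with the checksum set to zero (options excluded)
    3. the segment payload
    4. the shared key
    Everything except item 4 is visible on the wire.
    """
    segment_len = len(tcp_header) + len(data)      # header length includes options
    pseudo_header = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, segment_len)
    fixed_header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo_header + fixed_header + data + key).digest()


def find_md5_option(tcp_header: bytes) -> Optional[bytes]:
    """Walk the TCP options area and return the 16-byte digest of a kind-19 option."""
    end = min((tcp_header[12] >> 4) * 4, len(tcp_header))
    i = 20
    while i < end:
        kind = tcp_header[i]
        if kind == 0:                       # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end:
            break
        length = tcp_header[i + 1]
        if length < 2 or i + length > end:  # malformed option: stop parsing
            break
        if kind == TCPOPT_MD5SIG and length == MD5SIG_OPT_LEN:
            return bytes(tcp_header[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip: bytes, dst_ip: bytes, tcp_header: bytes,
                   data: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest and compare it in constant time.
    A segment that carries no option fails the check as well."""
    carried = find_md5_option(tcp_header)
    if carried is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, tcp_header, data, key)
    return hmac.compare_digest(carried, expected)


def build_signed_header(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
                        seq: int, ack: int, flags: int, data: bytes, key: bytes) -> bytes:
    """Sender side: fixed header plus a 20-byte options area holding the MD5
    option and two NOPs for alignment (data offset = 10 words). The checksum
    field stays zero here; a real stack fills it in afterwards."""
    data_offset_words = (20 + MD5SIG_OPT_LEN + 2) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset_words << 4, flags, 16384, 0, 0)
    # the option itself is not covered by the digest, so any placeholder works
    placeholder = bytes([TCPOPT_MD5SIG, MD5SIG_OPT_LEN]) + b"\x00" * 16 + bytes([TCPOPT_NOP] * 2)
    digest = rfc2385_digest(src_ip, dst_ip, fixed + placeholder, data, key)
    options = bytes([TCPOPT_MD5SIG, MD5SIG_OPT_LEN]) + digest + bytes([TCPOPT_NOP] * 2)
    return fixed + options


# Constructed sample session (documentation addresses, not a real peering).
SRC_IP = bytes([192, 0, 2, 1])
DST_IP = bytes([192, 0, 2, 2])
KEY = b"example-peer-key"               # assumed shared key
PAYLOAD = b"constructed BGP KEEPALIVE"  # stands in for a real BGP message
SIGNED_HEADER = build_signed_header(SRC_IP, DST_IP, 40001, 179, 1000, 2000, 0x18, PAYLOAD, KEY)

if __name__ == "__main__":
    print("valid key accepted:", verify_segment(SRC_IP, DST_IP, SIGNED_HEADER, PAYLOAD, KEY))
    print("wrong key rejected:", not verify_segment(SRC_IP, DST_IP, SIGNED_HEADER, PAYLOAD, b"wrong"))
```

Swapping the addresses or touching the payload makes verification fail, which is the integrity property the option delivers; what it does not deliver is any secrecy or any protection beyond the entropy of the configured key.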



Meat! 
ERNW tool "bgp_cli" 

■ Initially a research tool for a student writing about trust (Hi Micele!) 

■ Can be used to manually inject routes (role of "valid peer" assumed) 

■ Can be used to bruteforce MD5 keys 

■ In a direct session-based manner 



ERNW tool "bgp_md5crack" 

■ Written in C => fast! 
■ Can work "live" on an interface or on a pcap file 



■ Demos ;-) 



For completeness' sake 
■ The BGP key used in the campus backbone of a 40K user 
environment we audited a while ago: 




[Screenshot of a web form] 
Enter the Cisco Encrypted Password: 070C285F4D06 



MPLS 
Multiprotocol Label Switching [RFC 3031 et al.] 

■ Technology used for forwarding packets, based on labels. 
■ Packets may carry multiple labels (for different purposes). 

■ Deployed in most carrier backbones. 



■ We are going to cover only a subset of MPLS technologies 
called "MPLS Layer 3 VPNs". 

■ To be found in most $$$ enterprises for their global networks. 



MPLS Layer 3 VPNs 






■ MPLS-based technology [mainly RFC 4364] with its own 
concepts and terminology. 

■ Comparable to Frame Relay/ATM in some respects. 

■ Highly 'virtual' technology (shared infrastructure, 
separated routing). 

■ Additional (MPLS-) labels are used to establish logical 
paths/circuits for the traffic of single customers. 

■ Very flexible with regard to topologies. 



MPLS VPNs - Terminology 
P network (Provider network) 

■ The ISP's backbone 
P router (Provider router) 

■ Backbone router of ISP 
PE router (Provider Edge router) 

■ ISP's router responsible for 
connecting the CE device to 
MPLS backbone 

C network (Customer network) 

■ The customer's network 

CE router (Customer Edge router) 

■ Router connecting the C network 
to the PE (may be under control 
of customer or ISP) 



[Figure: a CE router at a VPN site connects to a PE router; PE routers and P routers form the P network, and another PE router connects a second CE router / VPN site] 



During transport two labels are used: one to 
identify the 'egress PE', the other one to identify 
the customer/a particular VPN. 



MPLS Layer 3 VPNs 






[Figure: CE routers attached to a PE that keeps virtual VPN routing tables] 




MPLS Layer 3 VPNs 
A more complex view 

[Figure: several customer networks on either side of the MPLS provider network] 



What happens here in detail 
PE routers assign labels to prefixes per VPN (route distinguisher). 
This information (label, route distinguisher, prefix) is then 
exchanged between PEs by Multiprotocol BGP [RFC 2283]. 
=> one PE knows which other PE is responsible for a given prefix 
in a given VPN. 

When a packet leaves an ingress PE, usually the packet has 
(at least) two labels: 

- one 'forwarding label' for transport to the egress PE across the 
backbone. 

- a second one identifies the VPN (and prefix) of the destination. 



In short: "labels do the whole VPN thing here". 
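To make "labels do the whole VPN thing" concrete, an added example that is not code from the talk and not ERNW's mpls_redirect: it encodes and decodes RFC 3032 label stack entries, then models an ingress PE pushing the transport and VPN labels, a P router popping the transport label, and the egress PE choosing the VRF from the remaining VPN label alone. Label values, the VRF table and the IPv4 packet are constructed; ingress_pe, p_router and egress_pe are this example's names, not vendor APIs.

```python
"""MPLS label stack entries (RFC 3032) and the two-label encapsulation an
ingress PE performs for an L3 VPN packet.

Added example for this section; not code from the talk or from ERNW's
tools. The label values, VRF table and IPv4 payload are constructed.
"""
import struct
from typing import List, Tuple

# Constructed PE forwarding state. A real PE learns "VPN label -> VRF/prefix"
# and the responsible egress PE via MP-BGP, and the transport label via LDP/RSVP.
TRANSPORT_LABEL_TO_PE2 = 16001
VPN_LABELS = {                 # egress PE's table: VPN label -> (VRF, prefix)
    100001: ("VRF-CustomerA", "10.1.0.0/16"),
    100002: ("VRF-CustomerB", "10.1.0.0/16"),  # overlapping customer address space is normal
}
# Constructed IPv4 packet: 20-byte header (10.1.1.1 -> 10.1.2.2, UDP) + 4 bytes of payload
IPV4_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, 17, 0,
                          bytes([10, 1, 1, 1]), bytes([10, 1, 2, 2])) + b"data"


def encode_label(label: int, tc: int = 0, bottom: bool = False, ttl: int = 255) -> bytes:
    """One 32-bit stack entry: 20-bit label, 3-bit TC/EXP, 1-bit S (bottom), 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def push_stack(labels: List[int], ttl: int = 255) -> bytes:
    """Top of stack first; the last entry carries the bottom-of-stack bit."""
    return b"".join(encode_label(lab, bottom=(i == len(labels) - 1), ttl=ttl)
                    for i, lab in enumerate(labels))


def pop_stack(frame: bytes) -> Tuple[List[Tuple[int, int, int]], bytes]:
    """Parse entries until the S bit; return [(label, tc, ttl), ...] and the payload."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", frame, offset)
        offset += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 1:
            return entries, frame[offset:]


def ingress_pe(ip_packet: bytes, vpn_label: int) -> bytes:
    """Ingress PE: transport label on top, VPN label at the bottom, then the IP packet."""
    return push_stack([TRANSPORT_LABEL_TO_PE2, vpn_label]) + ip_packet


def p_router(frame: bytes) -> bytes:
    """A P router switches on the top label only. Modelled as the penultimate
    hop: it pops the transport label and never inspects what is underneath."""
    entries, payload = pop_stack(frame)
    if entries[0][0] != TRANSPORT_LABEL_TO_PE2 or len(entries) < 2:
        raise LookupError("no LFIB entry for top label")
    remaining = [lab for lab, _, _ in entries[1:]]
    return push_stack(remaining, ttl=entries[-1][2]) + payload


def egress_pe(frame: bytes) -> Tuple[str, bytes]:
    """Egress PE: the bottom label alone selects the VRF the packet is delivered
    into. Nothing else in the packet ties that label to the customer it came from."""
    entries, ip_packet = pop_stack(frame)
    vpn_label = entries[-1][0]
    if vpn_label not in VPN_LABELS:
        raise LookupError("unknown VPN label %d" % vpn_label)
    return VPN_LABELS[vpn_label][0], ip_packet


if __name__ == "__main__":
    frame = ingress_pe(IPV4_PACKET, 100001)
    print("stack at ingress:", [e[0] for e in pop_stack(frame)[0]])
    print("delivered into:", egress_pe(p_router(frame))[0])
```

The same IPv4 packet under label 100001 lands in VRF-CustomerA and under 100002 in VRF-CustomerB; the egress PE has no way to tell whether the label it sees is the one the ingress PE pushed, which is the trust-model point the following slides make.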



MPLS VPNs, Trust Model 






■ Trusted Core (= Carrier network) is assumed. 
■ No attacks from outside the core possible. 
■ No additional security controls available 

■ "Trust my blue eyes!" 

■ Oh yes, there is MD5-protected LDP... please, would anybody mind 
explaining to us the underlying threat model? 



Source of grim debates between 
$Corp_Global_NW_Team 
and $Corp_Info_Sec. 

[Image: "YOU'RE PARANOID"] 



Meat! 
ERNW Tool "mpls_redirect" 

■ Assumes attacker has access to traffic path (in core). 

■ Command line tool 

■ Modifies "VPN labels" of packets 

■ => Redirects traffic from one customer to another "customer" 
[yes, you clever guys, that's what the name came from...] 



Demo 



What does this mean? 
■ It's not only about re-direction, it's about injection, too. 

■ Maybe we should have given another name to the tool ;-) 

■ Attacker can get into VPNs. 

■ Attacker can set up fake "central authorization portal" and re-direct an 
enterprise's traffic to it. 

■ Same for DNS 

■ Same for LDAP 
■ Same for... 



Use your imagination ;-) 



Mitigating controls 
■ "Trust your carrier" 

■ This was _not_ a joke ;-) ... if you do, you're fine. We're fine, too. 

■ Contractual controls might kick in. 



■ "Authenticate everything". 

■ Breaks the approach of "trusted networks" 



[Image: "WE THINK IT IS SECURE ENOUGH"] 



■ Implement "borders of trust" (e.g. L3 devices) that 
encrypt/decrypt all inbound traffic on a site level. 



Definition of Carrier Ethernet 
Carrier Ethernet basically means that 
Ethernet frames are transported across 
(at least) one carrier's backbone. 

So Ethernet is not (only) used as an 
access medium here, but offered as a 
service. 

Technologies 

■ Metro Ethernet 
■ EoMPLS / VPLS 

■ L2TPv3 










Example: Ethernet over MPLS 
Change of (Ethernet) trust model 

[Figure: the "Zone of Trust" now stretches across the carrier cloud to Customer Site B] 
Full vs. Partial Transparency 
Depending on the (carrier's) service/product, potentially 
the devices used and the configuration of PE and CE, the 
connection may or may not provide full transparency. 

"Full transparency" means that all BPDUs (including e.g. 
STP, DTP, VTP, GVRP, LACP, 802.1X packets and the like) 
and all Layer 2 headers (incl. VLAN tags, CoS) are 
transparently transported from one site to another/others 
across the cloud. 

In contrast "partial transparency" means that some of the 
BPDUs or header information is filtered/discarded when 
entering the cloud. 



Security threats arising from this change 






Existing threats have new scope 

■ Ethernet-based attacks may be performed "over the cloud" 

■ E.g. an attacker in site Brussels might arp-spoof (= read) traffic from site Amsterdam. 

Misconfigurations will have larger impact 

■ What about that old C2980 with a high VTP revision number, accidentally re-plugged in? 



New threats may show up 

■ Existing Ethernet protocol space not designed for worldwide networks. 

■ Spanning Tree dates from the 1980s. 

■ Again: their whole trust model is built around a concept of "local networks". 

■ Segmentation capabilities of technologies involved may not be sufficient 
for some security needs. 



Traditional Ethernet Attacks 
"over the cloud" 



ERNW 

Living Security. 



■ Depend highly on the level of transparency a "VPLS cloud" provides. 

■ Given full transparency (as in the Juniper-based testbed we used)... 

■ ... you can perform any traditional layer 2 attack over the cloud. 

■ We tested this successfully with yersinia. 

■ From an attacker's perspective this is pretty cool: sitting in Brussels and 
arp-spoofing some boxes located in Amsterdam... 

[Figure: Site Brussels, attached to the VPLS cloud] 
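What a site can do about this on its own: an added example, not code from the talk, of the arpwatch-style check that catches such traffic no matter which site it entered from. It parses constructed Ethernet/ARP frames, keeps the last sender IP-to-MAC binding it saw, and reports a changed binding for a watched address such as the site gateway. All MACs, addresses and frames are constructed, not captured.

```python
"""arpwatch-style binding monitor run over constructed ARP frames: the
site-local symptom of ARP spoofing, whether the sender is in the same
room or in another site behind a fully transparent carrier cloud.

Added example for this section; not code from the talk. The frame builder,
MACs and addresses are constructed for illustration (no captured data).
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed Ethernet + ARP frame (IPv4 over Ethernet, RFC 826 layout)."""
    eth_dst = _mac(tha) if oper == ARP_REPLY else b"\xff" * 6
    eth = eth_dst + _mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender MAC, sender IP), or None for anything that is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join("%02x" % b for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return oper, sha, spa


def detect_binding_changes(frames: List[bytes], watched: Set[str]) -> List[Tuple[str, str, str]]:
    """Track sender IP -> MAC from requests and replies alike; report each
    change for a watched IP as (ip, old_mac, new_mac). The first sighting is
    the baseline (arpwatch learns the same way), so in practice seed the table
    from a known-good capture or from the gateway's documented MAC."""
    bindings: Dict[str, str] = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _oper, mac, ip = parsed
        old = bindings.get(ip)
        if old is not None and old != mac and ip in watched:
            alerts.append((ip, old, mac))
        bindings[ip] = mac
    return alerts


# Constructed traffic as seen at one site: the gateway answers twice, then a
# different MAC (a host anywhere in the same L2 domain, possibly another site)
# claims the gateway's address.
GATEWAY_IP, GATEWAY_MAC = "10.20.0.1", "00:00:5e:00:01:01"
ROGUE_MAC = "02:00:00:00:be:ef"
SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, "00:11:22:33:44:55", "10.20.0.50"),
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "10.20.0.50", "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, "00:11:22:33:44:55", "10.20.0.50"),
    build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, "00:11:22:33:44:55", "10.20.0.50"),
    b"\x00" * 60,   # a non-ARP frame, ignored
]

if __name__ == "__main__":
    for alert in detect_binding_changes(SAMPLE_FRAMES, {GATEWAY_IP}):
        print("ARP binding changed: %s was %s, now %s" % alert)
```

The monitor sees only that a binding flipped; it cannot say which site the new claimant sits in, which is why the slides treat the carrier cloud as part of the local trust domain once it is fully transparent.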



VTP over the cloud 



Demo 
Potential Problem with IEEE 802.1Q 
Tunneling and Native VLANs 




[Figure: Switch A (Customer X) with an 802.1Q trunk port carrying VLANs 30-40, native VLAN 40, on an asymmetric link; the correct path for traffic is shown beside the incorrect path traffic takes due to misconfiguration of the native VLAN by the sending port on Switch B; both link ends are 802.1Q trunk ports] 
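The misconfiguration in the figure, played through in an added example (not code from the talk): a minimal model of 802.1Q trunk egress and ingress in which the native VLAN leaves untagged and an untagged frame is assigned to the receiving port's native VLAN. With Switch A's native VLAN 40 and a far-end port whose native VLAN was set to 30, a frame meant for VLAN 40 silently ends up in VLAN 30. The switch objects, MAC addresses and VLAN numbers are constructed; native_vlans_match is the per-link consistency check that a CDP native-VLAN-mismatch warning corresponds to.

```python
"""Model of 802.1Q trunk egress/ingress showing what an asymmetric native
VLAN does to a frame.

Added example for this section; not code from the talk. The switch
configuration, MAC addresses and VLAN numbers are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]     # None = untagged on the wire
    ethertype: int
    payload: bytes


def serialize(frame: Frame) -> bytes:
    """Ethernet II, with a 4-byte 802.1Q tag (TPID 0x8100 + TCI) when vlan is set."""
    tag = b"" if frame.vlan is None else struct.pack("!HH", ETH_P_8021Q, frame.vlan & 0xFFF)
    return frame.dst + frame.src + tag + struct.pack("!H", frame.ethertype) + frame.payload


def parse(raw: bytes) -> Frame:
    if len(raw) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype == ETH_P_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", raw[14:18])
        return Frame(raw[:6], raw[6:12], tci & 0xFFF, inner, raw[18:])
    return Frame(raw[:6], raw[6:12], None, ethertype, raw[14:])


@dataclass
class TrunkPort:
    switch: str
    allowed: range          # VLANs allowed on the trunk
    native: int             # native VLAN: sent and received untagged

    def egress(self, vlan: int, dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
        """Frames of the native VLAN leave untagged; every other VLAN is tagged."""
        if vlan not in self.allowed:
            raise ValueError("VLAN %d not allowed on %s trunk" % (vlan, self.switch))
        return serialize(Frame(dst, src, None if vlan == self.native else vlan, ethertype, payload))

    def ingress(self, raw: bytes) -> Tuple[int, Frame]:
        """An untagged frame is placed into this port's native VLAN, whatever
        VLAN the sender meant. Returns (VLAN the frame is switched in, frame)."""
        frame = parse(raw)
        vlan = self.native if frame.vlan is None else frame.vlan
        if vlan not in self.allowed:
            raise ValueError("dropped: VLAN %d not allowed on %s trunk" % (vlan, self.switch))
        return vlan, frame


def native_vlans_match(a: TrunkPort, b: TrunkPort) -> bool:
    """Consistency check for both ends of one trunk link."""
    return a.native == b.native


# Constructed link: Switch A as in the figure (VLANs 30-40, native 40); on the
# far side one correctly configured port and one whose native VLAN is wrong.
SWITCH_A = TrunkPort("A", range(30, 41), native=40)
SWITCH_B_OK = TrunkPort("B", range(30, 41), native=40)
SWITCH_B_BAD = TrunkPort("B", range(30, 41), native=30)
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("00aabbccddee")


def deliver(sender: TrunkPort, receiver: TrunkPort, vlan: int) -> int:
    """VLAN in which the receiver switches a frame the sender put into `vlan`."""
    return receiver.ingress(sender.egress(vlan, DST, SRC, ETH_P_IP, b"payload"))[0]


if __name__ == "__main__":
    print("VLAN 40 via correct link ->", deliver(SWITCH_A, SWITCH_B_OK, 40))
    print("VLAN 40 via bad link     ->", deliver(SWITCH_A, SWITCH_B_BAD, 40))
    print("VLAN 35 via bad link     ->", deliver(SWITCH_A, SWITCH_B_BAD, 35))
```

Tagged VLANs (35 here) cross the bad link unharmed; only the two native VLANs bleed into each other, in both directions. The usual hardening is a dedicated, otherwise unused native VLAN on every trunk, or tagging the native VLAN as well, so that an asymmetry never moves customer traffic.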



Wrap-up on Carrier Ethernet 
■ Interesting approach ("as networkers" we pretty much like it). 

■ Changes whole trust model of Ethernet 

■ Might have large security implications. 



■ Combination of attacks (e.g. from this talk) possible 

■ Think of injecting bogus ARP packets into a site subsequently forcing 
intra-site traffic going "out" to the cloud... 

■ Wait for ShmooCon 2010 ;-) 



Save the best for last 
[Image: "NOBODY WILL EVER TRY TO DO THIS"] 



Some fun with MP-BGP. 



Summary & Outlook 
■ There are some backbone technologies with a 
"debatable" trust model 

■ And "debatable" resulting security controls / control capabilities 



■ Our talk's intent was to make you aware of that. 
It's just that simple ;-) 



Questions? 
Thanks for your attention 
Whatever you do... always remember the following two: 

■ Ross Callon in RFC 1925: 

"Some things in networking can never be fully understood by 
someone who neither builds commercial networking equipment nor 
runs an operational network." 

=> If you're really interested in this stuff, get your hands on some devices ;-) 

■ Simplicity Principle from 
http://tools.ietf.org/html/draft-ymbk-arch-guidelines-05 



